Comments (9)
These are all good questions
- Some of my customers want to exclude certain features from builds. Is this tool feature aware?
Not currently. In this issue, I outlined a few potential areas I want to investigate. It's one of my highest priority items after we complete the work to integrate the library with the cargo plugin.
- Can the tool exclude build-only dependencies? I've noticed that by default it includes them.
Not currently. This somewhat falls under the first point, but it's probably worth having a separate GitHub issue to track it.
- Is the purl standardized for Rust somewhere in the spec? What should the purl be for crates not distributed via crates.io?
The purl specification does not indicate a required type specific to Rust, beyond:
type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.
We could interpret this to mean that cargo is the "protocol", which would cover third party repositories. This probably needs its own GitHub issue for tracking.
Thanks. I believe we can close this issue now as everything has either been tackled or there are more specific issues.
Unless there are any objections I'll do so in a few days.
Thanks for these detailed answers!
We should now exclude build-only dependencies in main, and #512 and #513 will help with selecting features and targets.
To clarify: only dev-dependencies are excluded. Build dependencies are included in the SBOM because unlike dev-dependencies they can influence the final binary.
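The distinction drawn in the comment above (dev-dependencies out, build dependencies in) as an added example; this is not code from cyclonedx-rust-cargo. It walks a resolve graph shaped like the `resolve.nodes[].deps[].dep_kinds` data that `cargo metadata` emits, following normal and build edges and ignoring dev edges, so a crate reachable only through a dev-dependency is left out while a build dependency and everything it pulls in is kept. The crate names, edges, and the `DepKind`, `Edge` and `sbom_components` names are constructed for the illustration.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

// Dependency kind, mirroring the `dep_kinds[].kind` values that
// `cargo metadata` reports (`null` = normal, "build", "dev").
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum DepKind {
    Normal,
    Build,
    Dev,
}

// One edge of the resolved graph: the dependency's package id and every
// kind under which the depending crate pulls it in (a crate can be both a
// normal and a dev-dependency of the same package).
struct Edge {
    target: &'static str,
    kinds: Vec<DepKind>,
}

fn edge(target: &'static str, kinds: &[DepKind]) -> Edge {
    Edge { target, kinds: kinds.to_vec() }
}

// Breadth-first walk from the root crates that follows normal and build
// edges and skips dev edges. Dev-dependencies never reach the final
// artifact; build dependencies (build scripts, proc-macros) can influence
// it, so they and their own normal dependencies stay in the component set.
fn sbom_components(
    graph: &HashMap<&'static str, Vec<Edge>>,
    roots: &[&'static str],
) -> BTreeSet<&'static str> {
    let mut seen: BTreeSet<&'static str> = roots.iter().copied().collect();
    let mut queue: VecDeque<&'static str> = roots.iter().copied().collect();
    while let Some(pkg) = queue.pop_front() {
        if let Some(edges) = graph.get(pkg) {
            for e in edges {
                // Keep the edge if any of its kinds ships in the binary.
                let ships = e
                    .kinds
                    .iter()
                    .any(|k| matches!(k, DepKind::Normal | DepKind::Build));
                if ships && seen.insert(e.target) {
                    queue.push_back(e.target);
                }
            }
        }
    }
    seen
}

// Constructed sample graph (hypothetical crate names, not a real resolve).
// `serde` is reachable both as a normal dep of the root and via the dev-only
// `criterion`; `rand` and `rand_core` are reachable only through dev edges.
fn sample_graph() -> HashMap<&'static str, Vec<Edge>> {
    use DepKind::*;
    let mut g = HashMap::new();
    g.insert(
        "app",
        vec![
            edge("serde", &[Normal]),
            edge("cc", &[Build]),
            edge("criterion", &[Dev]),
            edge("rand", &[Dev]),
        ],
    );
    g.insert("serde", vec![]);
    g.insert("cc", vec![edge("jobserver", &[Normal])]);
    g.insert("jobserver", vec![edge("libc", &[Normal])]);
    g.insert("libc", vec![]);
    g.insert(
        "criterion",
        vec![edge("serde", &[Normal]), edge("clap", &[Normal]), edge("rand", &[Normal])],
    );
    g.insert("clap", vec![]);
    g.insert("rand", vec![edge("rand_core", &[Normal])]);
    g.insert("rand_core", vec![]);
    g
}

fn main() {
    // Expected: app, cc, jobserver, libc, serde (criterion, clap, rand,
    // rand_core are dev-only and therefore absent).
    for c in sbom_components(&sample_graph(), &["app"]) {
        println!("{c}");
    }
}
```

The walk starts from the workspace roots because `cargo metadata` only resolves dev-dependencies for those; a dev edge encountered deeper in the graph is skipped the same way, so the rule stays a single predicate on the edge kinds.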
Ah yes, sorry, my bad.
Including build dependencies makes sense! Thanks for the update.
So that should fix points 1 and 2 of your list. I don't think we have tackled purls for non-crates things yet anywhere, but I might have missed it as well.
There is a tracking issue for pURL from sources other than crates.io: #501
I am not aware of any standardization around that though.